Bugzilla – Bug 804392
VUL-1: CVE-2013-0292: dbus-1-glib: DBUS signal spoofing
Last modified: 2016-01-04 12:29:05 UTC
We should ensure that this patch is added before adding fprintd (bnc#792095):

http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz
http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz.asc
http://cgit.freedesktop.org/dbus/dbus-glib/commit/?id=166978a09cf5edff4028e670b6074215a4c75eca

otherwise, pam_fprintd can be bypassed.
Update for Factory prepared and submitted to the devel project:

Request: #155799
submit: home:dimstar:branches:Base:System/dbus-1-glib(cleanup) -> Base:System

Message:
- Update to version 0.100.1:
  + dbus-gproxy: Verify sender of NameOwnerChanged signals to be o.f.DBus (CVE-2013-0292, bnc#804392).
  + Some cleanups.
  + Other bugs fixed: fdo#23633, fdo#40711, fdo#55729, fdo#55730.

State: new 2013-02-19T11:00:33 dimstar
Comment: <no comment>
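A self-contained C model of the check named in the 0.100.1 changelog above, added here as an illustration and not taken from dbus-glib. The `signal_msg` and `owner_cache` structs, `handle_signal`, the `com.example.Service` name and the `:1.x` connection names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUS_DRIVER "org.freedesktop.DBus" /* name owned by the bus daemon */

/* Simplified stand-in for a received signal (hypothetical, not libdbus). */
struct signal_msg {
    const char *sender;    /* stamped by the bus daemon, not the client */
    const char *interface;
    const char *member;
    const char *name;      /* well-known name whose owner changed */
    const char *new_owner; /* unique name of the new owner */
};

/* Client-side cache of who owns the name a proxy is bound to. */
struct owner_cache {
    const char *name;
    char owner[32];
};

/* Returns 1 if the cache was updated, 0 if the signal was ignored.
 * check_sender=0 models the unfixed handling, 1 the fixed handling. */
int handle_signal(struct owner_cache *c, const struct signal_msg *m, int check_sender)
{
    if (!m->interface || !m->member || !m->name || !m->new_owner)
        return 0;
    if (strcmp(m->interface, BUS_DRIVER) != 0 ||
        strcmp(m->member, "NameOwnerChanged") != 0 ||
        strcmp(m->name, c->name) != 0)
        return 0;
    /* Interface and member are chosen by whoever emits the signal;
     * only the sender field identifies the bus daemon. */
    if (check_sender && (!m->sender || strcmp(m->sender, BUS_DRIVER) != 0))
        return 0;
    snprintf(c->owner, sizeof c->owner, "%s", m->new_owner);
    return 1;
}

int main(void)
{
    /* Constructed signals: one from the bus daemon, one from a peer. */
    struct signal_msg real = { BUS_DRIVER, BUS_DRIVER, "NameOwnerChanged",
                               "com.example.Service", ":1.7" };
    struct signal_msg spoof = { ":1.42", BUS_DRIVER, "NameOwnerChanged",
                                "com.example.Service", ":1.42" };
    struct owner_cache c = { "com.example.Service", "" };
    printf("fixed, real:    %d\n", handle_signal(&c, &real, 1));
    printf("fixed, spoof:   %d\n", handle_signal(&c, &spoof, 1));
    printf("unfixed, spoof: %d owner=%s\n", handle_signal(&c, &spoof, 0), c.owner);
}
```

With the sender check enabled the cached owner only changes on the daemon's own signal; without it, the peer's signal rewrites the cache.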
This is an autogenerated message for OBS integration:
This bug (804392) was mentioned in
https://build.opensuse.org/request/show/155800 Factory / dbus-1-glib
bugbot adjusting priority
Can be closed then.
As the glib bindings are used by some packages, we need this fix also for the SLE 11 and perhaps also the SLE 10 codebases. (Again, it depends on a using package for this problem to be effective.)
We are not aware of packages that rely on dbus signals (via dbus-glib) for authentication.